It creates %WinDIR%\Windrive.exe (12,288 Bytes), which is an IRC Trojan. The worm connects to a predefined IRC server, for receiving on a special port its author's instructions.

The worm creates %WinDIR%\Winload.log, for saving the collected addresses.
It makes the following autostart registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load32"="%WinDIR%\load32.exe"

It also changes the following registries:
HKEY_LOCAL_MACHINE\SOFTWARE\SARS "kwmfound" HKEY_Current_User\Software\Microsoft\WindowsNT\CurrentVersion\Windows "Run"="C:\%WinDIR%\Dllreg.exe"

The worm tries to infect all .exe files on drives C: to Z:.
It listens on TCP port 10000 for further instructions:
mkd: "Create a directory on the infected machine"
rmd: "Remove directory on the infected machine"
port: "Change the port to the port specified"
and on TCP port 1001 for:
!exec: "Execute program on the infected machine"
!cdopen: "Open the CD-ROM on the infected machine"
!sndplay: "Play a sound on the infected machine"
It tries to collect all clipboard information into %WinDIR%\Rundllx.sys. Then, it looks for .kwm files, saves their contents in %Windir%\Rundlln.sys and sends email format files containing the stolen information to a certain FTP server.